[KLUG Members] New security tool
Adam Williams
members@kalamazoolinux.org
11 Apr 2002 08:11:41 -0400
I was burrowing through PAM announcements this morning and discovered
that the capability support in the kernel is now operational. In the
past Linux/UNIX services (sendmail, ntp, httpd) have had to start as
root (setuid) and then shed root privileges in order to bind to a port.
Or just run setuid to be able to modify the system clock, etc... Very
all or nothing. Capabilities lets the admin grant specific capabilities
to a non-privileged process: bind to port below 1024, modify system
clock, reboot system, adjust process priorities, etc.... This is a big
step forward, and in conjunction with Kerberos V one should be able to
construct an almost bulletproof system. I personally dream of the day
when the whole concept of "superuser" has faded away.
ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt
file:///usr/src/linux/include/linux/capability.h
http://freshmeat.net/projects/pam_capability/
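
Added example, not part of the original post and not code from any project linked above: a small C auditor that reads the CapEff mask from /proc/<pid>/status text and reports which of the four abilities named in the post a process holds, and whether it still has the full root-equivalent set. The function names, the sample status text, and the highest capability number (40) are assumptions made for this illustration; the bit numbers come from include/linux/capability.h.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit numbers from include/linux/capability.h for the abilities the post lists. */
static const struct { int bit; const char *name; } WATCHED[] = {
    {10, "CAP_NET_BIND_SERVICE"},   /* bind to port below 1024 */
    {25, "CAP_SYS_TIME"},           /* modify system clock */
    {22, "CAP_SYS_BOOT"},           /* reboot system */
    {23, "CAP_SYS_NICE"},           /* adjust process priorities */
};
/* Constructed sample: a time daemon running as uid 38 with two capabilities. */
static const char SAMPLE_STATUS[] =
    "Name:\tntpd\nUid:\t38\t38\t38\t38\n"
    "CapPrm:\t0000000002000400\nCapEff:\t0000000002000400\n";
#define ASSUMED_LAST_CAP 40  /* assumption: highest capability bit on the audited kernel */

/* Find the CapEff line in status text; returns 0 on success, -1 if missing or malformed. */
int parse_capeff(const char *status, unsigned long long *mask) {
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            p += 7;
            while (*p == ' ' || *p == '\t') p++;
            if (!isxdigit((unsigned char)*p)) return -1;  /* empty value */
            *mask = strtoull(p, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}
int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1ULL); }
/* 0 = no capabilities, 1 = a limited grant, 2 = every capability (root-equivalent). */
int classify(unsigned long long mask, int last_cap) {
    unsigned long long full = last_cap >= 63 ? ~0ULL : (1ULL << (last_cap + 1)) - 1;
    if ((mask & full) == 0) return 0;
    return (mask & full) == full ? 2 : 1;
}
int main(void) {
    char buf[8192] = {0};
    unsigned long long mask;
    FILE *f = fopen("/proc/self/status", "r");   /* fall back to the sample if unreadable */
    if (f) { if (fread(buf, 1, sizeof buf - 1, f) == 0) buf[0] = '\0'; fclose(f); }
    if (parse_capeff(buf[0] ? buf : SAMPLE_STATUS, &mask) != 0) return 1;
    printf("CapEff=%016llx class=%d\n", mask, classify(mask, ASSUMED_LAST_CAP));
    for (size_t i = 0; i < sizeof WATCHED / sizeof WATCHED[0]; i++)
        printf("  %-22s %s\n", WATCHED[i].name, has_cap(mask, WATCHED[i].bit) ? "held" : "-");
    return 0;
}
```

A service that reports class 2 is still running with the all-or-nothing root set; class 1 with only the expected bits held is the least-privilege outcome the post describes.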